September 2017 - Posts

About two weeks ago, when Equifax first revealed its massive data breach, many observers noted that the company appeared neither prepared nor equipped to meet the demands of whatever contingency plans it had drawn up for the day it would be hacked. That was on the first day after Equifax had gone public.

In the two weeks since, those observations have proven more than prescient. Because so much has happened, I present you with a list. As of September 19, 2017, the following are true:

The price of Equifax's stock has plunged 35% in response to the data breach and all the other news following it.

A couple of Equifax honchos "retired" after the breach was made public, including the Chief Security Officer (CSO).

It turns out that Equifax's CSO has a bachelor's and master's degree in music.

It should be noted, however, that she has worked in security-related positions at other big companies.

Plus, plenty of programmers (security or otherwise) are music majors, philosophy majors, art majors… you get the idea. (Then again, the ex-CSO apparently isn't a programmer, as far as one can tell.)

More than 30 lawsuits have been filed.

The Federal Trade Commission announced an investigation into the data breach.

The US DOJ started criminal investigations to see if the three executives who recently sold nearly $2 million in stock violated federal law.

Security researchers found that Equifax's Argentinian branch had an employee portal that used "admin" as both the username and the password.

Equifax initially blamed a vulnerability in Apache software for the hack. Apache, in turn, immediately issued a press release pointing out that a security patch had been available since March.

Speaking of March, it turns out that there was an initial data breach at Equifax that occurred in that same month.

While it is currently being treated as a separate incident, it may well have been the initial ingress into Equifax, well before the July breach that was first announced.

Equifax revealed that up to 400,000 in England had been affected by the breach.

As well as 10,000 in Canada.

And let's not forget the 143 million in the USA.

The site Equifax set up to reveal whether a person was affected by the data breach gave inaccurate answers.

That site was set up outside of the main Equifax.com domain. As certain security researchers noted, this made for easy phishing. One proved the point by setting up a look-alike site, whose link ended up being tweeted by whoever was managing Equifax's Twitter account.

Equifax tried to charge consumers for freezing their credit reports – and then announced that they wouldn't.

Some of the reactions to the data breach are not unexpected, and yet surprising all the same, like the lawsuits. Lawsuits were expected, but thirty of them filed in less than a week? Wow.

Other outcomes, such as charging people for freezing their credit reports, are mind-blowing. It's like no one thought to consult the PR department because… at this point, what's the use?

The stock market seems to think that the other shoe has dropped. At the beginning of this week, Equifax's stock price stopped its losses and ever so slowly began to rise, although some say it's nothing but a dead cat bounce, either because the market hasn't effectively priced everything in or because there's more bad news on the horizon.

Based on the last couple of weeks, it wouldn't be foolhardy to wait and see what other surprises spring up.

Equifax, one of the three largest credit reporting agencies in the US, announced yesterday that they have been hacked. The leaked information includes full names, SSNs, birth dates, and addresses, among other data.

It's not the biggest hack to date; that dubious honor goes to Yahoo, which claimed 1 billion users and 500 million users (that's right: two data breaches involving over 100 million people each).

However, the Equifax data breach is more worrisome since it involves truly sensitive information. If Yahoo's data conundrum gave the bad guys a phishing line, Equifax equipped them with an ordnance store full of dynamite.

Nearly Half the US Population Affected, Took 2 Months to Raise Alert

Per Equifax's admission, approximately 143 million Americans were affected by this data breach. Taking into consideration that the US population is somewhere around 300 million people, it means that nearly 50% of the entire US has been touched by this latest hack.

And, when you consider that people are married, live together, etc., it wouldn't be surprising to find that close to 100% of American households are affected.

Even more shocking: Equifax discovered the hack on July 29 (the hack itself was in May). It took them nearly a month to go public with the information. And while that's probably within the legal boundaries, Equifax, more than other companies, probably knows that going public with the admission sooner would have been better.

It is, after all, one of the go-to companies for other businesses when they experience a data breach. One can only assume that Equifax knows all the ins and outs of what to do when a data breach strikes; they probably developed marketing and services around it. (Which brings up an interesting question: will Equifax, with a straight face, offer its own credit monitoring and identity protection services to 143 million people, "out of an abundance of caution," as the industry saying goes?)

There are even reports that credit card numbers (for approximately 200,000 people) were also stolen in the hack. Which is odd, because you're not supposed to be storing such data at all, and certainly not without encryption.

Stock Down 12% After Hours, Insider Trading Accusations

The news didn't go over well. Aside from all the major (and minor) news networks reporting on this latest data incident, people with access to after-hours stock trading managed to push the price down by 12% (and today's pre-market is pushing it further down).

This probably wasn't helped by reports that three executives sold $1.8 million worth of shares shortly after the data breach was discovered. It could very well have been "innocent" (the sales were not pre-scheduled), but such news incentivizes outsiders to dump shares now and ask questions later.

All in all, these are not the actions of an organization prepared to meet head-on the demands of a data contingency plan.

Which is surprising.

Equifax and similar companies know they are hacking targets because of the digital data they possess. They are the mother lode, so to speak. One would have expected them to plan accordingly, but judging from tweets and the like, it's beginning to look like they were caught with their pants down in every respect.

For example, someone managed to reach Equifax's help line, and the person on the other end admitted to being hired outside help with no access to a database for checking whether the caller was affected by the data breach. More than a month after the breach was discovered.

The Silver Lining

Can any good come out of this? When you consider that half of the US is affected, you just know that government officials are going to be swept up in this. Perhaps enough P.O.'ed congresspeople will lead to something (finally).

But if the past is any guide to the future, you're best off betting that remarkably little will change.